Howto::Firewall
Overview
Using a firewall to limit services to VT Campus is a quick and easy way to protect your services and server from getting hacked. The service can still be accessible from outside Campus by using VT's VPN service. These instructions show you how to protect a service running on TCP port 3306, you can change the port number to protect other services.
There are different firewall programs available on different Operating Systems. Make sure you follow the instructions for the specific firewall running on your operating system.
firewalld
As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN.
Create new zone
sudo firewall-cmd --new-zone=campus --permanent
sudo firewall-cmd --reload
Set the source ranges
sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent
sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent
sudo firewall-cmd --zone=campus --add-source=172.16.0.0/12 --permanent
sudo firewall-cmd --zone=campus --add-source=45.3.64.0/18 --permanent
sudo firewall-cmd --zone=campus --add-source=2001:468:c80::/48 --permanent
sudo firewall-cmd --zone=campus --add-source=2607:b400::/40 --permanent
- Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up to date source IP list
Add the service(s)
sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent
- You add additional ports as needed, just change the port number
Check your rules
sudo firewall-cmd --zone=campus --list-all